Thursday, December 28, 2006

moving forward: the knowns and unknowns

We know security of websites must improve; heck, it can’t get much worse. One major challenge we’re facing is that not everyone agrees on what needs to be done. For example, if someone were to ask a mailing list, “what do I need to do to secure my website?”, they’d likely receive 20 different answers and perhaps get asked just as many questions. Conversely, if the same question were asked about a PC, you’d probably get 3 similar answers and maybe a question about why you’re using Windows (*just kidding*). This inevitably leaves website owners in a state of confusion, unsure of what to do. Maybe they’ll do nothing.

I think the reason behind the lack of consensus is a void of data and/or a means to measure success. We’re essentially flying blind. Let’s rhetorically consider several questions people commonly ask:

“How do I find out how many websites I have?”
“What do they do and how *important* are they?”
“Who’s responsible for them?”

Digging into a single website…

“How large and complex is the code base?”
“What’s the rate of application code change?”

Narrowing down to vulnerabilities…

“What vulnerabilities do I have?”
“Whose fault is it and how do I prioritize their remediation?”
“What do I do to protect myself in the meantime?”

Finally organizational changes…

“Which should I focus on, developer education or the use of a modern development framework?”
“Which testing process is better, white box, black box, or glass box?”

Answering these questions is anything but simple; the answers depend on any number of factors, are unknown to any single person, and vary from organization to organization. The point is that an organization must be able to understand its current state of affairs. And we as an industry must be able to measure whether a particular strategy or solution is working and, if so, how well. This brings us to where I think we are today: best practices based upon conventional wisdom held over from other areas of information security, which do not apply here. A harsh reality.

To begin looking at things from a fresh perspective, I find it’s helpful to line up the "knowns" and "unknowns" for a particular problem set. From there it’s easier to spot trends, relationships, inconsistencies, and areas that should yield immediate return from investigation.

1. In what would normally be considered the largest, most popular, and “secure” websites, the vast majority are found to have serious vulnerabilities. We have no idea about the security of the mid- and lower-end websites, which are typically not assessed.

2. Those typically in charge of information security do not have the same level of control over the safety of their websites as they do at the network infrastructure level. Consequently, the responsibility for website security is unassigned or rests among several constituencies.

3. Attacks targeting the web application layer are growing year over year in number, sophistication, and maliciousness. Real-world visibility into these attacks is extremely limited.

4. Firewalls, patching, configuration, transmission/database encryption, and strong authentication solutions do not protect against the majority of web application vulnerabilities.

5. All software has defects and in turn will have vulnerabilities. Security enhancements provided by modern development frameworks help to prevent vulnerabilities, though they will not eliminate them altogether. The measured benefit is unknown.

6. The rate of change of commerce web applications is relatively rapid, with frequent incremental revisions. Traditional PC or enterprise software tends to be slower, with larger versioned builds. Web applications therefore tend to have a steady and faster flow of vulnerabilities.

7. Developer education in software security and implementing security testing inside the quality assurance phase reduce the number of vulnerabilities, but will not eliminate them. See #5. The overall expected reduction of vulnerabilities as a result is unknown.

8. It’s impossible to find all vulnerabilities through automation, so thorough security testing requires a significant amount of experienced human time to complete. How much time is required and how close the process will come to finding everything is debatable.

9. Web application security is a new and complex subject for which there is a limited population of experienced practitioners relative to the amount of workload.

10. Web browser security is largely and fundamentally broken, leaving it unable to protect users against modern attacks. The situation hasn’t significantly improved with Firefox 2.0 or Internet Explorer 7.0, and it’s unclear if future releases will attempt to address the problem.

What does this tell us? A lot of things actually. First and foremost, there is a lot of work to do *like we didn’t know that already*. Here are a couple of my observations:

Solutions must come from areas other than "fixing" the code

We need to invest resources into measuring ROI from various solutions and best-practices

2 comments:

Another part of the uphill battle is that the security practitioners are far more motivated by security than software engineers and developers. Engineers and developers are motivated by functionality and features, which in turn drive revenue. Security doesn't make money, it saves money, and it's hard to measure precisely how much money because the probability of a specific attack is also difficult to measure.

There's a post on my blog to a similar effect. I'll be sure to reference this one now.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!